API Reference

How to automate obfuscation using the REST API.


The REST API allows external systems to submit scripts to the obfuscation engine.

Authentication

The API requires an API key. Create and manage keys in the Account tab of the dashboard.

Include the API key in the Authorization header using the Bearer schema.

Authorization: Bearer YOUR_API_KEY

API Versioning

The current active version of the Obscurau API is v2. All endpoints should be prefixed with /v2/ (e.g., https://api.obscurau.net/v2/obfuscate). Older endpoints (such as v1) are considered deprecated and may no longer receive updates or support the latest engine options.


Obfuscate

POST https://api.obscurau.net/v2/obfuscate

This endpoint accepts a Lua/Luau script and engine configuration parameters. On success, it returns the obfuscated script as a downloadable file.

There are three ways to submit your script:


Method 1: File Upload (multipart/form-data)

Upload your .lua or .luau file directly. This is the simplest method for scripts of any size.

FieldTypeDescription
scriptfileRequired. The .lua or .luau file to obfuscate.
datastringA JSON string containing targetVersion, optimizationLevel, and options.

Example (curl):

curl -X POST https://api.obscurau.net/v2/obfuscate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "script=@./my-script.lua" \
  -F 'data={"options":{"targetVersion":"Roblox","optimizationLevel":"Level 2","intenseVmStructure":true,"disableLineInformation":true}}' \
  -o output.lua

The filename is read from the uploaded file. You can override it by adding a filename key inside the data JSON.


Method 2: Base64-encoded JSON

Encode your script to base64 before sending. This prevents JSON escaping issues for scripts with special characters.

FieldTypeDescription
scriptBase64stringRequired. Base64-encoded source code.
filenamestringThe original filename (e.g., script.lua). Auto-generated if omitted.
optionsobjectRequired. Engine options (including target and optimization level).
curl -X POST https://api.obscurau.net/v2/obfuscate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scriptBase64": "'$(base64 -i ./my-script.lua)'",
    "filename": "my-script.lua",
    "options": {
      "targetVersion": "Roblox",
      "optimizationLevel": "Level 2",
      "intenseVmStructure": true,
      "disableLineInformation": true
    }
  }' \
  -o output.lua

Options Schema

The options object configures how the engine obfuscates your script. Some options require specific plans.

OptionTypeDescriptionRequired Plan
targetVersionstringRequired. The target runtime (Roblox, FiveM, Luau, LuaJIT, Lua 5.1 - Lua 5.5, World of Warcraft, Garry's Mod, Warcraft 3).All
optimizationLevelstringRequired. The optimization strength (Level 1, Level 2, Level 3).All
disableLineInformationbooleanRemoves debug line mapping for smaller output size.All
prettyPrintbooleanFormats output with indentation instead of minification.All
enableFfiLibrarybooleanPreserves FFI specific logic for LuaJIT targets.All
intenseVmStructurebooleanEnhances VM instruction complexity to combat static analysis.Starter+
useDebugLibrarybooleanAdds anti-tamper checks utilizing the debug library.Starter+
staticEnvironmentbooleanInlines environmental globals for speed and security.Starter+
enforcePlaceIdLockboolean(Roblox only) Prevents script from running outside authorized Place IDs.Professional+
enableGcFixesbooleanHardens garbage collection loops for complex states.Business+
vmCompressionbooleanCompresses the bytecode payload aggressively.Business+
enableCompatibilityModebooleanEnsures maximum compatibility across custom executor environments.Business+
hardcodeGlobalsbooleanDirectly hardcodes environment calls instead of fetching them.Business+
licenseKeystringBinds the output to a specific license key validation system.PAYG+

Response

Success (200 OK)

The response body contains the obfuscated script as a binary file download (Content-Type: application/octet-stream). The Content-Disposition header provides a suggested filename.

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="main.obfuscated.lua"

Save the response body directly to a file (use -o output.lua with curl).

Error (4xx / 5xx)

On failure, the response is a JSON object with an error field.

{
  "error": "targetVersion is invalid"
}

Common error codes:

StatusMeaning
400Invalid request body, missing fields, or invalid option values.
401Missing or invalid API key.
403Plan restriction (e.g., option requires a higher plan) or not enough tokens.
405Wrong HTTP method (use POST).
408Request timeout. Job is queued but took >55s to complete and continues running in background. You can poll the job status using the jobId returned in the response.
429Too many requests. Concurrent obfuscation limit reached for your plan.
500Engine execution failed. Tokens are automatically refunded on engine errors.

Check Job Status

GET https://api.obscurau.net/v2/obfuscate/:jobId

If your initial POST request times out with a 408 status code, the background obfuscation engine will continue processing your script. You can poll this endpoint using the jobId returned in the 408 response to retrieve the status or download the completed file.

Path Parameters

ParameterTypeDescription
jobIdstringRequired. The UUID of the job returned from a 408 Request Timeout response.

Example (curl):

curl -X GET https://api.obscurau.net/v2/obfuscate/fc230067-dce9-4748-884c-1ab131a2f0e7 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o output.lua

Responses

202 Accepted (Still Processing) The job is still in the queue or running. Wait a few seconds and try again.

{
  "status": "running",
  "jobId": "fc230067-dce9-4748-884c-1ab131a2f0e7"
}

200 OK (Success) Returns the obfuscated script as a binary file download (Content-Type: application/octet-stream).

404 Not Found The jobId is invalid, expired (jobs are cleared after 7 days), or does not belong to your account.

4xx / 5xx (Failed) The engine failed to obfuscate the script. Tokens are automatically refunded.

{
  "error": "Engine execution failed",
  "status": "failed"
}